PhenixID Documentation

Configure second factor selector

Some environments have multiple HTTP authentication methods to choose from for a specific login. In such cases, the AuthSelector authenticator can be used to present a list of authentication method choices to the end user. To make it even easier for the end user, it is possible to use a second factor selector. The second factor selector works like this:

- User authenticates with username and password

- The system, via a pipe, finds out the possible second factor delivery methods for the specific user. The logic can be based on directory user object attributes, tokens enrolled, etc.

- The second factor delivery methods are presented for the user to choose from.

Note:

Before you begin, take a backup of the phenix-store.json file.

Prerequisites:

The administrator should have knowledge about PhenixID HTTP authenticators and pipes configuration.

Enable the second factor selector module

- Log in to the configuration manager

- Click on the configuration tab

- Click on the pen next to Modules

- Paste the below modules. Make sure it is pasted at the right level: before you paste, place the cursor after the first character ([). Change the "port" and "ssl" flags to suit your environment.

Configure second factor selection pipe

This pipe will fetch the userid and collect the possible authentication methods for the user. In the example pipe below, the LDAP directory user object attributes mail and mobile are checked. If mail contains a value, OTP delivery by SMTP will be displayed. If mobile contains a value, OTP delivery by SMS will be displayed.

The pipe will also check whether the user has enrolled for PocketPass and/or OneTouch. If so, an option for each enrolled method will be displayed as well.

- Log in to the configuration manager

- Click Configuration tab

- Edit pipes

- Paste the pipe below. Edit it to suit your environment. Every second factor option is represented as an item with certain properties. Make sure every item returned contains these properties:

* methodDisplayName - this will be displayed as the option for the end user to choose

* URL - this will be the authenticator URL to redirect to if the user chooses the option. Make sure the URI path matches the second factor selector URI (in this example saml/)

* [OPTIONAL] force - (true/false) - set this if you would like to skip the choice dialogue and instead redirect automatically to the specified option.
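The following is an added illustration, not PhenixID pipe configuration and not code from the product: it writes out in plain Python the decision rules the selection pipe above implements (mail present gives an SMTP option, mobile present gives an SMS option, PocketPass/OneTouch enrollment gives those options) and a check that every returned item carries methodDisplayName and URL with a path under the selector URI. The user record layout, the enrollment set, and the authenticator URLs are assumptions made for the example.

```python
# Added example: the second factor selection logic expressed in Python so the
# rules can be read and tested. Not PhenixID pipe syntax; the user record
# layout, enrollment set and authenticator URLs below are constructed assumptions.

SELECTOR_URI = "saml/"  # assumed selector URI, matching the page's "saml/" example

# Hypothetical authenticator URLs; only the path prefix matters for the check.
METHODS = {
    "smtp": ("OTP by e-mail", "/saml/authenticate/otpmail"),
    "sms": ("OTP by SMS", "/saml/authenticate/otpsms"),
    "pocketpass": ("PocketPass", "/saml/authenticate/pocketpass"),
    "onetouch": ("OneTouch", "/saml/authenticate/onetouch"),
}


def make_item(method):
    """Build one selector item with the two required properties."""
    name, url = METHODS[method]
    return {"methodDisplayName": name, "URL": url}


def second_factor_options(user, auto_redirect_single=False):
    """Return the selector items for one user.

    user: dict with directory attributes "mail" and "mobile" and a set
    "enrolled" of token types, mirroring what the pipe reads from the
    directory and the token store (constructed layout for this example).
    """
    options = []
    if user.get("mail"):
        options.append(make_item("smtp"))
    if user.get("mobile"):
        options.append(make_item("sms"))
    for token in ("pocketpass", "onetouch"):
        if token in user.get("enrolled", set()):
            options.append(make_item(token))
    # Optional 'force': skip the choice dialogue when exactly one method exists.
    if auto_redirect_single and len(options) == 1:
        options[0]["force"] = True
    return options


def validate_items(items, selector_uri=SELECTOR_URI):
    """Check that every item has the required properties and that each URL
    path lies under the selector URI. Returns a list of problems; an empty
    list means the item list is acceptable."""
    problems = []
    for i, item in enumerate(items):
        for key in ("methodDisplayName", "URL"):
            if not item.get(key):
                problems.append(f"item {i}: missing {key}")
        url = item.get("URL", "")
        if not url.lstrip("/").startswith(selector_uri):
            problems.append(f"item {i}: URL {url!r} is not under {selector_uri!r}")
        if "force" in item and not isinstance(item["force"], bool):
            problems.append(f"item {i}: force must be true/false")
    return problems


if __name__ == "__main__":
    # Constructed sample user: has mail, no mobile, enrolled for OneTouch.
    sample = {"mail": "user@example.invalid", "mobile": "", "enrolled": {"onetouch"}}
    items = second_factor_options(sample)
    for item in items:
        print(item)
    print("problems:", validate_items(items))
```

The URL check is the one most worth keeping in a real pipe: an item whose path is outside the selector URI will be presented to the user but will not be handled by the selector, so validating the list before returning it catches a misconfigured authenticator early.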

SAML

For SAML scenarios to work properly with the second factor selector, make sure you add a SAMLDataSave authenticator as the first authenticator in the flow (i.e. the authenticator pointed to in the POSTSSOURL).